Vista Anti-Virus 2011– Seriously, Microsoft?

Last night I was doing some Google queries to research a technical issue I was having with GlusterFS. I clicked on a link Google had suggested for me and suddenly the performance of my system had slowed to a crawl. I assumed that the site had JavaScript, or some other poorly implemented client-side code on it but it was really much worse.

I had been hit by malware…

The first thing I noticed was UAC (User Account Control) confirmation boxes popping up asking me to allow ‘update.exe’ to run on my PC. I obviously told it not to allow this. I assumed it was over, and about 30 seconds later Vista Anti-Virus 2011 opened.

I must admit that my first response to this was embarrassment remembering how many times I had given my friends crap about installing suspicious software and clicking on dodgy links. In fact I had just helped my brother remove this exact same malware over the phone a week earlier. How in the world did this happen? My system has both McAfee Virus Scan Enterprise AND Forefront Client Security installed on it, and I had just upgraded to IE 9. I was completely astonished.

The embarrassment quickly faded and my second response was eradication, I had the malware completely destroyed in less than a minute. It had created two exe files that were marked as SYSTEM and HIDDEN (attrib –H –S to remove hidden and system attributes) and the process was showing up as ‘Steam’ in task manager.

Here are the complete steps I took to wipe this thing out.

1) CTRL-ALT-DEL, Start task manager.

2) Under processes kill the process.

3) Find the files.

4) attrib –H –S kho.exe

5) Delete the files.

Anytime your system is infected with Malware you can assume that there is going to be registry involvement, this case was no different. I opened up regedit and did a search for ‘kho.exe’. It turns out that the scumbags who wrote this software actually registered it as a shell handler for all exe files.

What this means is that every time Windows goes to launch an exe (executable file) it opens it with this malware, and the malware gets to decide what to do with the program. Which means it effectively disables your PC. I reset the modified registry key and everything was back to normal.

My third response was anger and that is mostly what this article focuses on.

In 2011, after all we have been through with the web and security how are things like this possible? How does the average person stand half a snowballs chance in hell of not becoming infected if the manager of a datacenter full of servers can’t even protect his PC? Internet Explorer 9, all updates installed, McAfee Antivirus Enterprise, Microsoft Forefront Client security all completely useless against the might of poorly written malware by criminals?

Seriously, Microsoft? This is the best you can come up with, after all this time? Why is it even possible for a program to install itself from Internet Explorer without any user confirmation? I understand that functionality and usability is a balancing act against security but what possible functionality and usability does this complete lack of sanity give the user in return?